
Taking Privilege to Another Level

See how, in only a matter of hours and entirely unnoticed, we used multiple steps to gain network access and elevate our privileges to domain administrator level.

The client

For us, client confidentiality is key. So, while we can’t reveal names, know that the world’s leading organizations trust their offensive cybersecurity needs to us.

The focus of this attack was a large global financial organization.

The brief

The client’s network infrastructure was running multiple pieces of unsupported software, with a great many misconfigurations. To add to this, the infrastructure was so large that it was proving overwhelming for the customer and the internal IT teams. Luckily for us, best practices were definitely not in place, especially when it came to passwords.

The mission

Initial access

After running Responder, a tool used for NetBIOS and LLMNR spoofing, it was possible to retrieve user hashes, which were then cracked with another popular tool, hashcat. This gave us cleartext credentials for our initial access.

Once on the domain, and before doing anything else, we uploaded SharpHound.exe and pulled the resulting JSON files into BloodHound. This gave us a much better idea of the attack surface and the potential paths we could follow next. With the domain credentials, we were able to pull all Kerberos ticket hashes, query the Active Directory domain and get an idea of potential attack paths.

Kerberos authentication allows any authenticated domain user to request a TGS ticket for any service on the network. However, the domain controller does not check whether that user is actually authorised to use the service in question. Any domain user can therefore request tickets for every service account. These tickets are encrypted with the service account’s NTLM hash, so they can be cracked offline. We did this, and three of the tickets cracked.
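The request pattern described above leaves a trail on the domain controller. As an added illustration (not part of the engagement write-up, and not the client's tooling), the script below flags accounts that request RC4-encrypted service tickets for many distinct services in a short window, using constructed Security event 4769 records in an assumed key=value form:

```python
# Added detection example: Windows Security event 4769 logs every service-ticket
# request with the requesting account, the target service and the ticket
# encryption type. One account requesting RC4 (0x17) tickets for many distinct
# services within minutes is the signature of the technique described above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value rendering of 4769 fields).
SAMPLE_4769 = """\
time=2024-01-01T09:00:01 user=alice@CORP.LOCAL service=svc_sql enc=0x12
time=2024-01-01T09:10:00 user=bob@CORP.LOCAL service=svc_sql enc=0x17
time=2024-01-01T09:10:01 user=bob@CORP.LOCAL service=svc_web enc=0x17
time=2024-01-01T09:10:01 user=bob@CORP.LOCAL service=svc_backup enc=0x17
time=2024-01-01T09:10:02 user=bob@CORP.LOCAL service=svc_mssql2 enc=0x17
time=2024-01-01T09:10:02 user=bob@CORP.LOCAL service=svc_sharepoint enc=0x17
time=2024-01-01T10:30:00 user=bob@CORP.LOCAL service=svc_web enc=0x17
"""

def parse_4769(text):
    """Parse the constructed key=value lines; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        events.append(fields)
    return events

def detect_kerberoasting(events, min_services=4, window=timedelta(minutes=5)):
    """Return {user: services} for accounts that requested RC4 tickets for at
    least min_services distinct services inside any window. AES (0x11/0x12)
    is the normal default, so an explicit RC4 request is the cheap-to-crack case."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["enc"] == "0x17":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward past old events
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= min_services:
                flagged[user] = flagged.get(user, set()) | services
    return flagged

if __name__ == "__main__":
    for user, svcs in detect_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"{user}: RC4 tickets for {len(svcs)} services {sorted(svcs)}")
```

The isolated 10:30 request from the same account is not flagged on its own, which keeps routine single-service use out of the alert; tune `min_services` and `window` to the environment.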

With access to a service account password, we noticed this account had RDP access and direct local admin rights on multiple machines and servers.

With admin access we could dump the NTLM hashes of any local user and dump plaintext credentials from accounts that were configured to start a service. This led us to obtaining credentials for another two accounts, giving us admin access to another machine, where we repeated the same technique.

With a number of hashes cracked, and one being an administrator account, we now looked at escalating our privileges.

Escalation

Using the administrator’s username and password, it was possible to gain shell access via the psexec.py script on multiple domains using the new credentials we had cracked. After getting onto the machine, it’s worth noting that at this point we were only a local admin and not a system admin.

After confirming we could upload files to the machine in the C:\Windows\Tasks folder, we were able to upload a malicious payload that bypassed the endpoint protection in place (confirmed with an un-obfuscated test payload, which was wiped after a few seconds). In turn, we caught a reverse shell, from which we were able to run Mimikatz. This allowed us to dump all the hashes in memory, which led us to obtaining two domain admin account hashes and passwords.

With these domain admin credentials it was then possible to laterally move to another machine. Once on this machine it was very easy to add a new user to the domain admins group and gain full control of the network.

The takeaway

This kill chain used multiple steps to effectively gain access and elevate privileges to that of a domain administrator. This took us only a few hours, and there was no indication that this activity had been detected.

One of the reasons we could get this far is simply the password policies in place, which, in this case, made it extremely easy to obtain our initial access. Our engagement also highlighted misconfigurations which, on large corporate networks, could have devastating consequences.

We guided the client through the remediation process, and started with the things that they could push out quickly, including stricter password policies. When, after a few weeks, we performed some more testing, we noticed a significant improvement in their security posture.

From a data-loss point of view, the mitigations and remediation advice we gave potentially saved them from falling victim to a breach that could have cost millions of pounds.